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When the 4-state or the 6-state protocol of quantum cryp- 
tography is carried out on a noisy (i.e. realistic) quantum 
channel, then the raw key has to be processed to reduce the 
information of an adversary Eve down to an arbitrarily low 
value, providing Alice and Bob with a secret key. In princi- 
ple, quantum algorithms as well as classical algorithms can be 
used for this processing. A natural question is: up to which 
error rate on the raw key is a secret-key agreement at all 
possible? Under the assumption of incoherent eavesdropping, 
we find that the quantum and classical limits are precisely 
the same: as long as Alice and Bob share some entanglement 
both quantum and classical protocols provide secret keys. 



Quantum cryptography lies at the intersection of two 
of the major sciences of the 20th century: quantum me- 
chanics and information theory. Moreover, due to the 
intimate relation between quantum cryptography and 
quantum non-locality, another major scientific achieve- 
ment of this century, relativity, is not far away. This let- 
ter concerns the dialog between quantum physics and in- 
formation theory in the context of optimal eavesdropping 
on a quantum channel and the corresponding secret-key 
agreement that, in principle, both quantum and classi- 
cal algorithms provide. This analysis of the interplay of 
these complementary approaches reveals surprising con- 
nections. 

To provide a secure communication, quantum cryp- 
tography pI exploits quantum correlations to estab- 
lish secure keys (which are then the basis for standard 
information-based cryptosystems). Alice prepares a pair 
of qubits (i.e. a pair of spin i) in a maximally entangled 
state, sends one qubit to Bob and keeps the other one. 
Then they both measure their qubit in a basis chosen in- 
dependently at random within a set of 2 or 3 bases for the 
4- and 6-state protocols, respectively. (Alice could also 
prepare a qubit in a state compatible with one of the 
bases and send it to Bob, but the protocol with qubit 
pairs is equivalent and better suited for the purpose of 
this letter). On a perfect channel the correlations are 
maximal and the protocol is straightforward, the secure 
key results essentially without any information theoreti- 
cal algorithm. However, in practice the quantum chan- 
nel is noisy and elaborated protocols are needed. These 
require as input an upper bound on the information ac- 
cessible to the eavesdropper, a bound set by the laws of 



quantum physics. Natural questions are: up to which 
error rate is secure key agreement at all possible? This 
letter presents the answer to this question under the as- 
sumption of incoherent eavesdropping. 

Below, we first review general incoherent eavesdrop- 
ping and summarize recent results on secret-key agree- 
ment by public discussion. Then, the cases that Bob has 
more or less information than Eve are treated. 

By general incoherent eavesdropping we mean the fol- 
lowing. First, Eve lets each qubit sent by Alice to Bob 
interact with independent ancillas. The dimension of the 
ancillas and the interaction are arbitrary, except that the 
interaction is described by a unitary operator U: 
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where the ipj and (f>j are the normalized states of Eve's 
ancilla when Bob receives the qubit undisturbed and dis- 
turbed, respectively. The former case happens with prob- 
ability JF, called the fidelity, and the latter with probabil- 
ity T), called the disturbance or, equivalently, the Quan- 
tum Bit Error Rate (QBER). Next, Eve stores her ancil- 
las until she learns the bases used by Alice to encode the 
qubits. Finally, she measures her ancillas one after the 
other, using any measurement scheme compatible with 
the laws of quantum physics. Clearly, if Eve interacts 
only weakly with the qubits, then she disturbs the chan- 
nel only weakly, hence the QBER is low, but Eve gets 
little information. On the contrary, if the interaction is 
strong. Eve gains more information, but the QBER is 
larger. Optimal here means that for any given QBER, 
Eve chooses the qubit-ancilla interaction and her mea- 
surement to maximize her information. The QBER can 
be well estimated by Alice and Bob by comparing a frac- 
tion of their (classical) bits. From this and from the laws 
of quantum physics they can bound Eve's information. 

The state vectors V'j and (j)j in (n^, S) have to be such 
that they define a unitary operator U . Moreover, we 
choose them such that U has the same effect on all qubits 
sent by Alice (all the Poincare vectors are shrunk by the 
same factor). This is called symmetric eavesdropping. 
It simplifies the analysis considerably. It is important 
to note that one can assume symmetric eavesdropping 
without loss of generality, as proven in [§,^. Indeed, 
Eve can make her strategy look symmetric to Bob by 
applying arbitrary rotations R to the qubit immediately 
before and R^^ immediately after it interacts with her 



ancilla. As she knows which rotation she apphes, she 
does not lose information. From Bob's point of view, 
however, the arbitrary rotations make the disturbance 
appear symmetric. From this symmetry condition one 
obtains the foUowing relation for the fidelity T [0-0: 
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The explicit form of the -(/^i and (^j and Eve's optimal 
measurements are given in pUj for the 4-state protocol 
(BB84) and in |Q,|[ for the 6-state protocol (note that for 
the latter (0||(/)|) = 0). This provides the joint probabil- 
ity distribution Pxyz of the random variables X , Y , and 
Z to which Alice, Bob, and Eve have access, respectively. 
It turns out that Eve's random variable is composed of 
2 bits Z = [Zi,Z2], where Zi = X ®Y (e=xor), i.e., 
Zi tells Eve whether Bob received the qubit disturbed 
(Zi = 1) or not (Zi = 0) (this is a consequence of the fact 
that the -0 and cj) states in (0,0) generate orthogonal sub- 
spaces). The probability that Eve's second bit indicates 
the correct value of Bob's bit depends on whether the 
qubit was disturbed or not: Prob(Z2 = Y\X = Y) = Sq 
and Prob(Z2 = Y\X ^Y) ^Si (note that for the 6-state 
protocol Si = 1). The relevant Shannon informations are 
then: 

XBob = 1 + ^l0g2(^) + (1 - ^) log2(l - ^) (4) 

lEve =T{1 + S„ log2('5o) + (1 - So) log2(l - So)) (5) 
+ {1-T){1 + Si log2(<5i) + (1 - Si) log2(l - Si)) 

For the 4-state protocol Eve's Shannon information is 
maximal when Sq — Si = ■:^ + ^ T{\ — T). Let us con- 
centrate on the point where Xsob = Xeve, at QBERq = 

1 - J^o = ^"Y"^ - For QBERs below this threshold, Bob 
has more information than Eve, while above QBERo Bob 
has less information than Eve. We shall see that in the 
latter case Alice and Bob can still exploit their authenti- 
cated classical communication channel to overcome their 
initial drawback. Note that the noise corresponding to 
QBERo in the 4-state protocol is precisely the limit above 
which Bell inequality Q can no longer be violated |0,||,D , 
while for the 6-state protocol it corresponds to the opti- 
mal Universal Quantum Cloning Machine B. 

The situation that results when the 4-state or the 6- 
state protocol is used, and if all the parties obtain classi- 
cal random variables by carrying out measurements after 
each bit sent, is a special case of the more general sce- 
nario of secret-key agreement by public discussion from 
common information described by Maurer 1^. In this 
setting, two parties Alice and Bob who are willing to 
generate a secret key have access to repeated indepen- 
dent realizations of (classical) random variables X and 
Y , respectively, whereas an adversary Eve learns the out- 
comes of a random variable Z. Let Pxyz be the joint 
distribution of the three random variables. Additionally, 
Alice and Bob are allowed to communicate over a noise- 
less and authenticated, but otherwise completely insecure 



channel. In this situation, the secret-key rate S{X; Y\\Z) 
has been defined as the maximal rate at which Alice and 
Bob can generate a secret key that is equal for Alice and 
Bob with overwhelming probability and about which Eve 
has only a negligible amount of information (in terms of 
Shannon entropy) . For a detailed description of the gen- 
eral scenario and the secret-key rate as well as for various 
bounds on S{X-Y\\Z), see ||^. 

A first result analyses the case when Bob's random 
variable Y provides more (Shannon-) information about 
Alice's X than Eve's Z does (or vice versa): then this 
advantage can be exploited to generate a secret key: 
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This bound follows from an earlier result by Csiszar and 
Korner [n2|. It guarantees the possibility of secret-key 
agreement using error correction and (classical) privacy 
amplification whenever Bob has more information on Al- 
ice's bits than Eve. It is somewhat surprising that this 
bound is not tight, in particular that secret-key agree- 
ment is even be possible when the right-hand side of (H) 
vanishes or is negative. However, it was shown that the 
positivity of the expression on the right-hand side of (||) 
is a necessary condition for the possibility of secret-key 
agreement by one-way communication: whenever Alice 
and Bob start in a disadvantageous situation compared 
to Eve, then feedback is necessary. The corresponding 
initial phase of the key-agreement protocol is then called 
advantage distillation. 

Let us come back to quantum cryptography and first 
briefiy apply the general scenario for secret-key agree- 
ment to the case when Bob has more information than 
Eve. This case is relatively simple since, before starting 
the classical phase of the protocol. Bob has already an ad- 
vantage over Eve. Hence inequality (j^) guarantees that a 
positive secret-key rate can be achieved using only error 
correction and privacy amplification. Actually, inequal- 
ity (P) provides even a lower bound on the achievable 
secret-bit rate. 

Next, we consider the case when Bob has less informa- 
tion than Eve. This case may seem hopeless. However, 
there are still two reasons to keep optimism. First, we 
shall see that for QBERs not too large Alice's and Bob's 
qubits are still entangled, hence the technique of Quan- 
tum Privacy Amplification (QPA) |T^ can be used. Next, 
Alice and Bob can take advantage of the authenticity of 
the public channel and carry out an advantage distilla- 
tion protocol. We shall successively analyze these two 
possibilities and show that despite their differences, the 
former processing quantum information while the second 
is entirely classical, both can be applied up to precisely 
the same maximum QBERmax! 

The qubit sent by Alice to Bob is initially maximally 
entangled with another qubit that stays in Alice's hands. 
Once Bob received his qubit, Alice and Bob qubits are 
in a mixed state pab- If Pad is separable, then the cor- 



relation between Alice and Bob could be established by 
purely local operations and classical (public) discussions, 
hence there is no way for Alice and Bob to base a secret 
key on this correlation. If, however, pab is entangled, 
then it contains sonic quantum (i.e. non-classical) corre- 
lations. If Alice and Bob have many pairs of qubits, each 
in an entangled state pab , they can apply Quantum Pri- 
vacy Amplification (also called entanglement distillation 
or purification) p3| : after some local action involving 
pairs of qubit pairs and some public discussion, some 
qubits pairs will be more entangled at the cost that some 
other qubit pairs are destroyed. Repeated use of this pro- 
tocol provides Alice and Bob with qubit pairs arbitrarily 
close to maximal entanglement, as would have been ob- 
tained with a perfect channel. They can thus be used for 
secret-key agreement. 

According to the general incoherent eavesdropping 
strategy (0,0) and assuming Alice prepares the qubits 
in the singlet state, pab takes the form (in the compu- 
tational basis {| 00), I 01 ), 1 10), 1 11 )}): 
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where c,0 = (V'tl^i) ^n.'i ^^ = ((/)||0|). Using the Peres- 
Horodecki |14| separability condition, one finds that pab 
is entangled if and only if 2? > Tc^ and T > Vc^ . Using 
the explicit relations among J-', V, c^ and c^ one obtains 
the maximum QBERmax for which pab is entangled and 
thus QPA can be applied: 

for the 4 — state protocol : QBER^^^^ = 1/4 (8) 
for the 6 — state protocol : QBER^^^^ — 1/3 (9) 

Note that these bounds are not only valid for QPA, but 
more generally for any quantum algorithm. Indeed, if the 
above bounds are violated, then Alice and Bob do not 
share any entanglement, hence their correlation could be 
produced by public discussions. 

We now discuss the case when Alice, Bob and Eve are 
left with classical random variables X , Y and Z, respec- 
tively, and the mutual information Bob-Alice is lower 
than the Eve-Alice one. Alice and Bob can then not 
achieve a secret key using only error correction and pri- 
vacy amplification. Nevertheless, they can try to use an 
advantage- distillation protocol. The idea is that Alice 
uses her random variable X to send over the public chan- 



nel an iV-bit block encoding a single bit C 
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C' ■.^[Xi®C,X2®C,...,Xn®C] (10) 



Bob then computes [X^ ®C^)®Y^ and (publicly) ac- 
cepts exactly if this block is equal to cither [0,0,..., 0] or 
[1, 1, . . . , 1], corresponding to C = and C = 1, respec- 
tively. In other words, Alice and Bob make use of a repeat 
code of length N with only two codewords [0, 0, ... , 0] 



and [1,1,...,!]. In this way the probability that Bob ac- 
cepts erroneously a bit C goes down like V'^ . Eve, on her 
side, has to use a majority vote to guess the bit C. Hence 
Bob's information on C might be larger than Eve's infor- 
mation even in cases where Bob's information on X^ is 
lower than Eve's. The following theorem defines the pos- 
sibility for Alice and Bob to achieve secret-key agreement 
using classical algorithms: 

Theorem 1 Secret-key agreement is possible if and only 
if 
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holds. When applied to the 4- o,nd 6-state quantum cryp- 



tography protocols 
conditions (M) and ([,] 



this bound corresponds exactly to 
respectively. 



Recall that Sq is the probability that Eve guesses cor- 
rectly the value of a bit received undisturbed by Bob. 

Proof of Theorem 1: First, we note that the condi- 
tion (0) is clearly necessary. Indeed, for a disturbance 
T) larger than this bound the correlations between Alice 
and Bob correspond to a separable state pab which can 
be produced without any quantum channel, simply by 
public discussion. 

Next, we prove that the condition (|ll|) is also suffi- 
cient. When applying the advantage distillation protocol 
described above, Bob's conditional error probability Pn 
when guessing the bit sent by Alice, given that he ac- 
cepts, is 
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where Pa.N — 2?^ + (1 — T))^ is the probability that 
Bob accepts the received block. It is obvious that Eve's 
optimal strategy for guessing C is to compute the block 
[{C ® ATi) © Zi, . . . , (C © Xm) © Zm] and guess C as 
if at least half of the bits in this block are 0, and as 1 
otherwise. Given that Bob correctly accepts. Eve's error 
probability when guessing the bit C with the optimal 
strategy is lower bounded by 1/2 times the probability 
that she decodes to a block with N/2 bits and the same 
number of I's. Hence we get that 
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holds for some constant k and for sufficiently large N 
by using Stirling's formula. Note that Eve's error prob- 
ability given that Bob accepts is asymptotically equal to 
her error probability given that Bob correctly accepts be- 
cause Bob accepts erroneously only with asymptotically 
vanishing probability, given that he accepts. 

Although it is not the adversary's ultimate goal to 
guess the bits C sent by Alice, it has been shown that 
the fact that Pn decreases exponentially faster than 



7Ar implies that for sufRciently large N, Bob has more 
(Sh^non-) information about the bit C than Eve (see 
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for example |ll[, |10|]). Hence Alice and Bob have man- 
aged to generate new random variables with the property 
that Bob obtains more information about Alice's random 
bit than Eve has. Thus S{X;Y\\Z) > holds for this, 
hence also for the original, situation because of the bound 

fa. □ 



In conclusion, we have proven that secret-key agree- 
ment using either 4-state or 6-state quantum cryptogra- 
phy, assuming general incoherent eavesdropping, is pos- 
sible if and only if the quantum bit error rate is lower 
than that produced by the intercept-resend eavesdrop- 
ping strategy (1/4 and 1/3 for the 4-state and 6-state 
protocols, respectively). This limit corresponds to com- 
plete disentanglement and is valid as well if Alice and 
Bob use quantum information processing, like quantum 
privacy amplification, as if they use classical informa- 
tion processing, like advantage distillation [|6[. In other 
words, as long as Alice and Bob share some entanglement, 
they can use either a quantum protocol or a classical pro- 
tocol to extract a secret-key from this entanglement. 

Quantum Privacy Amplification uses 

quantum controUed-not gates, the basic building block 
of quantum computers. The latter are usually thought 
as fundamentally more efficient than classical computers. 
In the case of quantum cryptography our results demon- 
strate that the same task can be achieved with both types 
of computers, but it remains to be determined whether 
one method is more efficient than the other. The case of 
coherent eavesdropping also remains open. 

From a practical point of view it is crucial to know 
the upper error rate compatible with secret-key agree- 
ment. It is also important to have good estimates for the 
secret-key rate S{X;Y\\Z). Indeed, in practice one has 
to optimize a compromise between high raw bit rates and 
low error rates [ [l7| . 
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FIGURE CAPTIONS 

Fig. 1: Eve and Bob infonnation versus the QBER, here 
plotted for incoherent eavesdropping on the 4-state protocol. 
For QBERs below QBERo, Bob has more information than 
Eve and secret-key agreement can be achieved using classi- 
cal error correction and privacy amplification. These can, in 
principle, be implemented using only 1-way communication. 
The secret-key rate can be at least as large as the information 
differences. For QBERs above QBERq, Bob has a disadvan- 
tages with respect to Eve. Nevertheless, Alice and Bob can 
apply quantum privacy amplification up to the QBER cor- 
responding to the intercept-resend eavesdropping strategies, 
IR4 and IRe for the 4-state and 6-state protocols, respectively. 
Alternatively, they can apply a classical protocol called ad- 
vantage distillation which is effective precisely up to the same 
maximal QBER IR4 and IRe. Both the quantum and the 
classical protocols require then 2-way communication. Note 
that for the eavesdropping strategy optimal from Eve' Shan- 
non point of view on the 4-state protocol, QBERo correspond 
precisely to the noise threshold above which Bell inequality 
can no longer be violated. For the 6-state protocol a similar 
relation with optimal universal quantum cloning holds M . 
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